Azure-Samples / active-directory-b2c-dotnet-webapp-and-webapi

A combined sample for a .NET web application that calls a .NET web API, both secured using Azure AD B2C
http://aka.ms/aadb2c
MIT License

Refresh token #89

Open MINDoSOFT opened 3 years ago

MINDoSOFT commented 3 years ago

Using the sample tenant provided I am able to get an access token and a refresh token.

The access token expires in one hour and the refresh token in 14 days.

If I try to open the Tasks page after the access token has expired, I am redirected to the b2clogin page, and a completely new access and refresh token are being retrieved.

This sounds different than what I expect after reading this.

I am expecting AcquireTokenSilent to use the refresh token to retrieve a new access token in the background.

Let me know if this is a problem with the sample or an issue with the library.

MINDoSOFT commented 3 years ago

@jmprieur it looks like when you change a configuration in the OpenIdConnectAuthenticationOptions this issue is fixed.

You need to set the UseTokenLifetime to false.

```csharp
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebCookieManager(),
UseTokenLifetime = false
```

When you say token lifetime, it doesn't specify if it is the access token lifetime or the refresh token lifetime when it is present. And I am guessing this case is not handled by the OpenIdConnectAuthentication middleware.
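For reference, an added example that is not part of the original thread or the sample's own code: an OWIN `Startup` showing where `UseTokenLifetime = false` sits and what then controls the session length. With the default (`true`), the middleware copies the validity window of the ID token it validated at sign-in onto the authentication cookie; with `false`, the cookie middleware's `ExpireTimeSpan` applies instead. The client ID, metadata address, redirect URI and the 8-hour value are placeholders chosen for illustration.

```csharp
using System;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders (assumptions), not the sample tenant's real settings.
    private const string ClientId = "<application-client-id>";
    private const string MetadataAddress =
        "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration";
    private const string RedirectUri = "https://localhost:<port>/";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebCookieManager(),
            // Once UseTokenLifetime is false, this is what bounds the web session.
            // Set it deliberately: the framework default is 14 days with sliding renewal.
            ExpireTimeSpan = TimeSpan.FromHours(8),   // assumed value for illustration
            SlidingExpiration = false
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            MetadataAddress = MetadataAddress,
            RedirectUri = RedirectUri,
            ResponseType = "code id_token",
            // ASP.NET web host compatible cookie manager
            CookieManager = new SystemWebCookieManager(),
            // true (default): cookie expiry = ID token expiry, so the user is sent
            //   back to the sign-in page when that token lapses.
            // false: cookie expiry comes from CookieAuthenticationOptions above, and
            //   the signed-in session can outlive the token issued at sign-in.
            UseTokenLifetime = false
            // The sample's Notifications handlers (authorization-code redemption that
            // fills the token cache) are omitted here and are still required.
        });
    }
}
```

Because the cookie no longer expires with the token, the session length is whatever `ExpireTimeSpan` and `SlidingExpiration` say, so those two values should be reviewed together with this flag.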

jmprieur commented 3 years ago

Thanks for the heads-up @MINDoSOFT